Bash Vulnerability CVE-2014-6271 & CVE-2014-7169 (Shellshock): remote code execution through bash

Elizabeth -

This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock.

Note that CVE-2014-7169 has arisen due to incomplete fixes created for the CVE-2014-6271 vulnerability. (These fixes are created by the upstream maintainers of bash, not by Joyent.)

[UPDATED Tues Oct 2 2:54am UTC 2014]

AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud. Updates to pkgsrc bash are also now available in SmartOS pkgsrc repositories (please read details below under "Joyent Public Cloud"). 

SmartDataCenter customers should have received a notification by ZenDesk ticket with further instructions.

The impact of these vulnerabilities is as follows:

Joyent Public Cloud

  1. Joyent has applied a patch to the underlying platform of all our servers to address this bug. Users of many SmartOS VMs will NOT need to take any action. If the command "which bash" returns "/usr/bin/bash", no action is required on your part.

  2. Joyent has updated bash in pkgsrc. Please note that some older pkgsrc repositories either do not contain bash or will not be patched due to their age; see the table below for details. The package that includes the fix for both CVE-2014-6271 & CVE-2014-7169 is called "bash-4.3.025nb2". If the command "which bash" returns "/opt/local/bin/bash", you will need to either update the pkgsrc-provided bash by running "pkgin -f up && pkgin in bash" or remove the pkgsrc version via "pkgin rm bash". The latter command will remove the pkgsrc version, and the machine will fall back to the patched platform-provided version.
  3. Users of Linux VMs on Joyent's Public Cloud will need to apply the necessary updates, based on the distribution they are using. Please follow the appropriate link below:

Ubuntu: http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it

Fedora: http://fedoramagazine.org/flaw-discovered-in-the-bash-shell-update-your-fedora-systems/

Debian: https://www.debian.org/security/2014/dsa-3032

CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html

Pkgsrc Repo         Status              User Action Required
2010Q4              Bash not in repo    None
2011Q1              Won't be patched    Remove bash. See below
2011Q2              Won't be patched    Remove bash. See below
2011Q3              Won't be patched    Remove bash. See below
2011Q4              Won't be patched    Remove bash. See below
2012Q2              Won't be patched    Remove bash. See below
2012Q3              Won't be patched    Remove bash. See below
2012Q4 and later    Patch applied       Re-install bash. See below

Removing bash

1. Check if any users are set to use pkgsrc bash

getent passwd | grep /opt/local/bin/bash

2. If you have users with pkgsrc bash as their shell, change it to /usr/bin/bash

usermod -s /usr/bin/bash <login>

3. Remove pkgsrc bash

pkgin rm bash

Re-installing pkgsrc bash

pkgin -f up && pkgin in bash
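Added example (not part of the Joyent notice, and not Joyent's own tooling): a POSIX sh script that automates the checks described above on a SmartOS/pkgsrc machine. The passwd lines are a constructed sample standing in for "getent passwd" output; the function names and the action strings are my own, and the CVE-2014-6271 probe is the widely published environment-function self-test, which assumes the path of the bash binary to verify is passed in.

```shell
#!/bin/sh
# Added example: automate the Shellshock checks from the Joyent notice.
# Uses only POSIX sh + awk; the probe additionally needs a bash binary.

# Constructed passwd sample standing in for `getent passwd` output.
SAMPLE_PASSWD='root:x:0:0:Super-User:/root:/usr/bin/bash
alice:x:1001:10:Alice:/home/alice:/opt/local/bin/bash
bob:x:1002:10:Bob:/home/bob:/usr/bin/bash
carol:x:1003:10:Carol:/home/carol:/opt/local/bin/bash'

# Step 1 of "Removing bash": print logins whose login shell is the
# pkgsrc bash. Reads passwd-format lines on stdin (pipe `getent passwd` in).
pkgsrc_bash_users() {
    awk -F: '$7 == "/opt/local/bin/bash" { print $1 }'
}

# Map the output of `which bash` to the action the notice prescribes.
required_action() {
    case "$1" in
        /usr/bin/bash)       echo "none: platform bash is patched by Joyent" ;;
        /opt/local/bin/bash) echo "update (pkgin -f up && pkgin in bash) or remove (pkgin rm bash)" ;;
        *)                   echo "unknown bash location: verify manually" ;;
    esac
}

# Verify a bash binary carries the CVE-2014-6271 fix: an unpatched bash
# runs the command that trails a function definition imported from the
# environment, so the marker appears in the output.
# Returns 0 when the marker is NOT printed (patched), 1 when it is.
shellshock_6271_check() {
    bin="$1"
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bin" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Demo on the constructed sample and on whatever bash is in PATH.
printf '%s\n' "$SAMPLE_PASSWD" | pkgsrc_bash_users
required_action "$(command -v bash 2>/dev/null || echo none)"
```

On a live machine, replace the sample with "getent passwd | pkgsrc_bash_users" and pass "$(which bash)" to both required_action and shellshock_6271_check.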

SmartDataCenter Customers

  • Both a hot-fix service and new platform image (for SDC 7 only) are now available to enable customers to update their SDC installations. Action will be required by customers to apply these fixes. Instructions for applying the hot-fix (for both SDC 6 and SDC 7) as well as applying the latest platform image for SDC 7 have been sent by ZenDesk to SDC customers. If you have NOT received instructions, you can open a support ticket at https://help.joyent.com or by email to support@joyent.com to request the link and instructions.
  • SmartDataCenter customers will need to advise their end users of this vulnerability, and advise them of any actions their end users will need to take. We will follow up with additional details as they are available.

At any time, please do not hesitate to contact our Support team by raising a ticket at https://help.joyent.com or by email to support@joyent.com if you have any questions or concerns.
